Groomly — Privacy Policy
Last updated: May 3, 2026
1. Who We Are
Groomly ("we", "us", "our") is a SaaS platform for independent pet groomers, operated by Manuel Frauca, a self-employed professional (autónomo) based in Spain. We are the data controller for the personal data described in this Privacy Policy.
Contact: hello@groomly.app | Website: groomly.app
As a controller established in the European Union, Groomly processes personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD).
2. Who This Policy Covers
This Privacy Policy applies to two categories of individuals:
- Groomers: pet grooming professionals who register for a Groomly account ("Groomer Users")
- Clients: pet owners whose appointment details are entered into the platform by a groomer ("Client Users")
Important notice for Groomer Users: When you enter your clients' personal data (name, phone number, email) into Groomly, you become a data controller for that data under GDPR. You are responsible for ensuring you have a lawful basis to share your clients' data with Groomly (e.g. legitimate interest in protecting your business, or explicit consent). Groomly acts as your data processor for client data. See Section 13 (Data Processing Agreement) for details.
3. Data We Collect
3.1 Groomer Users
When you register and use Groomly as a groomer, we collect:
- Name and email address (for account creation and login)
- Business name
- Stripe account ID (for payment processing — we do not store bank details)
- Configuration preferences (no-show fee amount, cancellation window)
- Appointment records you create (client names, services, dates, prices)
- Usage data and logs (login times, actions taken in the dashboard)
3.2 Client Users
When a client confirms an appointment through a Groomly link, we collect:
- Name
- Phone number
- Email address (if provided by the groomer)
- Stripe Customer ID and Payment Method ID (tokenized references — we never store full card numbers)
- Appointment confirmation status and timestamp
We do NOT collect, store, or have access to: full card numbers, CVV codes, or any raw payment card data. All card data is handled exclusively by Stripe under PCI-DSS compliance.
3.3 Automatically Collected Data
When you use the Service, we may automatically collect:
- IP address and browser type
- Pages visited and actions taken within the platform
- Device and operating system information
- Cookies (see Section 9)
4. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to groomer subscribers and to execute appointment confirmation for client users
- Legitimate interests (Art. 6(1)(f)): Processing client data to fulfill the groomer's legitimate interest in protecting their business from no-shows, Groomly's interest in providing and improving the Service, and fraud prevention
- Legal obligation (Art. 6(1)(c)): Where processing is required by applicable law (e.g. tax and accounting records under Spanish law)
- Consent (Art. 6(1)(a)): For any marketing communications, where explicitly obtained
5. How We Use Your Data
We use the data we collect to:
- Create and manage groomer accounts
- Generate and process appointment confirmation links
- Process payments and no-show charges via Stripe
- Send transactional notifications related to appointments and charges
- Provide customer support
- Detect and prevent fraud and abuse
- Comply with legal and tax obligations
- Improve and develop the Service
We do NOT sell your personal data to third parties. We do NOT use your data for advertising purposes on behalf of third parties.
6. Data Sharing and Third-Party Processors
We share data only with trusted third-party processors necessary to operate the Service:
- Stripe (stripe.com): Payment processing, card-on-file storage, and payouts. Stripe is PCI-DSS Level 1 certified. Stripe processes data under its own Privacy Policy and as a processor under GDPR. Data may be transferred to the USA under Stripe's Standard Contractual Clauses.
- Supabase (supabase.com): Database and authentication hosting. Our Supabase instance is hosted in the European Union (West EU — Ireland region). Supabase processes data under its Privacy Policy and GDPR Data Processing Agreement.
- Vercel (vercel.com): Application hosting and deployment. Vercel is SOC 2 Type II certified and processes data under its Data Processing Agreement.
All third-party processors are contractually bound to protect your data and use it only for the purposes we specify. We do not share data with any other third parties without your explicit consent, except where required by law.
7. International Data Transfers
Groomly is operated from Spain (EU). Some of our third-party processors may transfer data outside the EEA (e.g. Stripe in the USA). All such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914)
- Adequacy decisions where applicable
- Supplementary technical and organisational measures including encryption and access controls
8. Data Retention
We retain personal data for the following periods:
- Groomer account data: For the duration of the subscription plus 5 years (Spanish tax law — Ley 58/2003 General Tributaria)
- Appointment and payment records: 5 years from the date of the transaction (Spanish tax law requirement)
- Client confirmation data: 24 months from the appointment date, or until the groomer's account is deleted, whichever comes first
- Server logs: 90 days
- Deleted account data: 30 days in read-only state, then permanently deleted
After retention periods expire, data is securely and permanently deleted or irreversibly anonymised. You may request early deletion of your data by contacting hello@groomly.app, subject to our legal retention obligations.
9. Cookies
Groomly uses the following types of cookies:
- Essential cookies: Required for the platform to function (session authentication, CSRF protection, security tokens). These cannot be disabled as they are strictly necessary.
- Analytics cookies: Used to understand how the platform is used (e.g. page visits, errors, feature usage). These are anonymised where possible and do not track you across third-party sites.
We do not use advertising cookies, social media tracking pixels, or third-party remarketing cookies. You can manage non-essential cookie preferences through your browser settings. Disabling essential cookies will prevent the platform from functioning correctly.
10. Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights:
- Right of access (Art. 15): Request a copy of the data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data, subject to legal retention requirements
- Right to restriction (Art. 18): Request that we limit how we use your data while a dispute is resolved
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV)
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
- Right to lodge a complaint: With the Spanish Data Protection Authority (AEPD) at aepd.es, or with the supervisory authority in your country of residence
To exercise any of these rights, contact us at hello@groomly.app. We will respond within 30 days of receipt. We may ask you to verify your identity before processing the request.
11. Rights of Client Users (Non-EEA)
If you are a client user located outside the EEA (e.g. in the United States):
- California residents: You have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what data we collect, the right to delete your data, and the right to opt out of the sale of personal information. Groomly does not sell personal information.
- Virginia, Colorado, Connecticut, Texas, and other US states with privacy laws: We honour equivalent rights to access, delete, and correct your personal data upon verified request.
- All US clients: You may contact hello@groomly.app to request access to or deletion of your data. We will respond within 45 days.
12. Data Security
We implement appropriate technical and organisational measures (TOMs) to protect your personal data:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.2 or higher
- Database security: Row-Level Security (RLS) enforced at the database level — each groomer can only access their own data
- Payment security: Stripe handles all card data under PCI-DSS Level 1 compliance — Groomly never accesses or stores raw card numbers
- Access controls: Access to production data is restricted to authorised personnel only
- Authentication: Secure session management via Supabase Auth with token rotation
- Regular reviews: We review our security practices periodically and update them as needed
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware, and will notify affected users without undue delay where required by GDPR Art. 34.
13. Data Processing Agreement (Groomer Users)
Under GDPR, when Groomly processes the personal data of your clients on your behalf, Groomly acts as a data processor and you (the groomer) act as the data controller for that client data. This section constitutes the Data Processing Agreement (DPA) between you and Groomly as required by GDPR Art. 28.
13.1 Subject Matter and Duration
Groomly processes client personal data (names, phone numbers, email addresses, appointment details, and Stripe payment tokens) on behalf of the groomer for the purpose of providing the no-show protection service. Processing occurs for the duration of the groomer's subscription.
13.2 Nature and Purpose of Processing
Processing is carried out to: store appointment records, generate confirmation links, process payment card setup, send automated notifications, and charge no-show fees as instructed by the groomer.
13.3 Groomer Obligations as Controller
As the data controller for your clients' data, you agree to:
- Have a lawful basis for sharing client personal data with Groomly (legitimate interests or consent)
- Inform clients that their data will be processed by Groomly for appointment confirmation purposes
- Not instruct Groomly to process client data in any unlawful manner
- Respond to any data subject requests from your clients regarding their data
13.4 Groomly Obligations as Processor
Groomly agrees to:
- Process client data only on documented instructions from the groomer (i.e. the appointments you create)
- Ensure that personnel with access to client data are bound by confidentiality obligations
- Implement the security measures described in Section 12
- Delete or return client data upon termination of the groomer's account
- Assist the groomer in responding to data subject rights requests where technically feasible
- Not engage additional sub-processors beyond those listed in Section 6 without informing groomer users
14. Children's Privacy
Groomly is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@groomly.app and we will delete it promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify groomer users by email at least 14 days before changes take effect and update the "Last updated" date. Continued use of the Service after changes become effective constitutes acceptance. If you do not agree, you may cancel your subscription before the effective date.
16. Contact and Supervisory Authorities
For any questions, rights requests, or concerns regarding this Privacy Policy:
Groomly — Data Controller
Operated by: Manuel Frauca (Autónomo, Spain)
Email: hello@groomly.app
Website: groomly.app
Spanish supervisory authority: Agencia Española de Protección de Datos (AEPD)
Website: aepd.es | Phone: +34 912 663 517 | Address: C/ Jorge Juan, 6, 28001 Madrid
EU Online Dispute Resolution: ec.europa.eu/consumers/odr